
Fix for not considering escape parameter for content_tag_string and te…

…sts to check that
1 parent 885eca0 commit fe1ee96cb7fc3e2800dc418e301367a994f2c922 @marklazz marklazz committed Aug 21, 2010
Showing with 22 additions and 1 deletion.
  1. +1 −1 lib/rails_xss/action_view.rb
  2. +21 −0 test/tag_helper_test.rb
@@ -33,7 +33,7 @@ def simple_format_with_escaping(text, html_options = {})
module TagHelper
private
def content_tag_string_with_escaping(name, content, options, escape = true)
- content_tag_string_without_escaping(name, ERB::Util.h(content), options, escape)
+ content_tag_string_without_escaping(name, escape ? ERB::Util.h(content) : content, options, escape)
end
alias_method_chain :content_tag_string, :escaping
end
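Review bot: The new line turns `escape = false` into a full bypass of the escaping layer, and nothing in the method records that this is an opt-out the caller is accountable for; before this change content was escaped unconditionally, so existing callers that passed `escape = false` with untrusted content now emit it raw. A one-line comment above the call would make the contract explicit: `# escape = false is an explicit opt-out: the caller must pass trusted or already-escaped content`. The default of `true` keeps the safe-by-default behaviour, which is worth stating in the same comment. Whether `ERB::Util.h` in this library leaves html_safe strings untouched is not visible in the hunk, so the comment should not promise that.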
@@ -0,0 +1,21 @@
+require 'test_helper'
+
+class TagHelperTest < ActionView::TestCase
+
+ def test_content_tag
+ assert_equal "<a href=\"create\">Create</a>", content_tag("a", "Create", "href" => "create")
+ assert content_tag("a", "Create", "href" => "create").html_safe?
+ assert_equal content_tag("a", "Create", "href" => "create"),
+ content_tag("a", "Create", :href => "create")
+ assert_equal "<p>&lt;script&gt;evil_js&lt;/script&gt;</p>",
+ content_tag(:p, '<script>evil_js</script>')
+ assert_equal "<p><script>evil_js</script></p>",
+ content_tag(:p, '<script>evil_js</script>', nil, false)
+ end
+
+ def test_tag_honors_html_safe_for_param_values
+ ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
+ assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped.html_safe)
+ end
+ end
+end
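Review bot: `test_content_tag` pins that `escape = false` emits the raw content, but it does not pin whether that unescaped result is still marked `html_safe?`, which is the property the rest of the stack relies on; an assertion such as `assert content_tag(:p, '<script>evil_js</script>', nil, false).html_safe?` (or its negation, whichever is intended) would make the opt-out's contract explicit. The escaped path is also only exercised with a plain string; if `ERB::Util.h` here honours `html_safe?` (not visible in this commit), a case like `assert_equal "<p>1 &amp; 2</p>", content_tag(:p, "1 &amp; 2".html_safe)` would guard against double escaping in the same way `test_tag_honors_html_safe_for_param_values` does for attribute values. The positional `nil, false` on the last assertion is hard to read; a short comment naming the fourth argument as `escape` would help the next reader.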
